Analysis Date: 2016-01-28 07:08:42
MD5: 4e2b1e7eaa6af503b14bbf2d604c9946
SHA1: d80cdb55f4c7502cc2976d00e4aa1e9db42d6672

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Sections:
  .text   md5: dd31cb84d4f2fcc8ad5f831add267054  sha1: e5c1f9cf5c791c3a2dd632d2ef35e5ae80e2c6b3  size: 86016
  .rdata  md5: e40f75e28e3a538abba3a035b193586e  sha1: 367fc461f365e9f33394af6432a1a0684b4996e0  size: 49152
  .data   md5: 0d62e2e9438e65cf7e8e2f1b1bdd6153  sha1: 3f95d82985ebf9a601ea3c387de6967031b946d2  size: 16384
  .rsrc   md5: de5be0e0e9ee25307467df986219e27d  sha1: 80872f23d4ce20bc2c3dff058fa65f2422d6cabd  size: 4096
  .rsrc   md5: ee06dfb6ae73f4cdb30875c08a30b92f  sha1: 82978ad4b39c20b479b32eaf19a57e45b1ba6a8b  size: 1048576
Timestamp: 2015-05-15 11:21:46
Version info:
  LegalCopyright: Copyright (c) 2005-2014, Linoma Software also
  InternalName: Pretty Point
  FileVersion: 0.7.2966.2428
  CompanyName: Linoma Software
  LegalTrademarks: Pretty Point wordmark fruit
  Comments: Butwhich Rain afraidyear Record Buypresentprotect snow start king touchcharge idea
  ProductName: Pretty Point
  ProductVersion: 0.7.2966.2428
  FileDescription: Pretty Point
  OriginalFilename: Foundsense.exe
Packer: Microsoft Visual C++ ?.?
PEhash: 41df89cb1660fa7957c804fa387b7b3b64fe844d
IMPhash: 300645871b195dd721d8003898585327
AV Rising: No Virus
AV Mcafee: No Virus
AV Avira (antivir): Worm/Gamarue.1209240.36
AV Twister: TrojanDldr.Wauchos.AK.hdrb
AV Ad-Aware: Trojan.Downloader.JRUP
AV Alwil (avast): MalOb-LV [Cryp]
AV Eset (nod32): Win32/TrojanDownloader.Wauchos.AK
AV Grisoft (avg): Downloader.Small.PQR
AV Symantec: Downloader.Dromedan
AV Fortinet: W32/Wauchos.AK!tr
AV BitDefender: Trojan.Downloader.JRUP
AV K7: Riskware ( 0040eff71 )
AV Microsoft Security Essentials: Worm:Win32/Gamarue!rfn
AV MicroWorld (escan): Trojan.Downloader.JRUP
AV MalwareBytes: Trojan.Upatre.Gen
AV Authentium: No Virus
AV Frisk (f-prot): No Virus
AV Ikarus: Trojan-Downloader.Win32.Wauchos
AV Emsisoft: Trojan.Downloader.JRUP
AV Zillya!: Trojan.InjectGen.Win32.2
AV Kaspersky: Trojan.Win32.Wauchos.a
AV Trend Micro: No Virus
AV CAT (quickheal): No Virus
AV VirusBlokAda (vba32): Backdoor.Androm
AV BullGuard: Trojan.Downloader.JRUP
AV Arcabit (arcavir): Trojan.Downloader.JRUP
AV ClamAV: No Virus
AV Dr. Web: Trojan.DownLoader13.31443
AV F-Secure: Trojan:W32/Gamarue.F
AV CA (E-Trust Ino): No Virus

Runtime Details:

Process
↳ C:\malware.exe
  Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe
  Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
  Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
  Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
  Creates File: C:\Documents and Settings\All Users\~
  Creates File: PIPE\lsarpc
  Creates File: C:\Documents and Settings\All Users\msvgqh.exe
  Creates File: \Device\Afd\Endpoint
  Deletes File: C:\malware.exe
  Winsock DNS: pool.ntp.org
  Winsock DNS: north-america.pool.ntp.org
  Winsock DNS: africa.pool.ntp.org
  Winsock DNS: oceania.pool.ntp.org
  Winsock DNS: asia.pool.ntp.org
  Winsock DNS: south-america.pool.ntp.org
  Winsock DNS: europe.pool.ntp.org

Network Details:

